From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Future of krb5 authentication |
Date: | 2007-07-18 16:49:32 |
Message-ID: | 469E449C.1090909@hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>> But we're talking two different issues. Deprecating/removing krb5 is a
>> different thing from having GSSAPI and SSPI mutually exclusive or not.
>
> To the extent that keeping krb5 around implies a much lower burden on
> GSSAPI support under Windows, I disagree... If we need the MIT
> headers/libraries around to support krb5 anyway then I don't feel the
> fact that you can do SSPI w/o those headers/libraries to be a case for
> not supporting GSSAPI on Windows, we need them anyway...
I was talking from a technical perspective, not a maintenance one.
Your argument is at least party valid - though Dave has reported major
issues due to the gssapi library changing between versions. But those
are solvable.
The maintenance part of me suggesting getting rid of krb5 is the
smallest one. It being a non-standard protocol is more important, and
the fact that the exchange breaks the libpq protocol and is not
protected by SSL is the big reason.
But none of those more important reasons speak for removing krb5 - just
deprecating it. So I'm fine with doing that.
(and again, the SSPI vs GSSAPI on win32 discussion is a different one)
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2007-07-18 16:51:55 | Re: Future of krb5 authentication |
Previous Message | Stephen Frost | 2007-07-18 16:43:05 | Re: Future of krb5 authentication |